A newly uncovered cybersecurity campaign has revealed a sophisticated threat actor exploiting outdated Fortinet FortiWeb web application firewall appliances to deploy the open-source Sliver Command and Control (C2) framework, enabling prolonged and covert access across multiple targeted networks.
Widespread Compromise of FortiWeb WAF Devices
Security researchers detected the campaign during open-directory threat hunting using Censys, where exposed Sliver databases and logs revealed extensive malicious activity originating from compromised FortiWeb appliances. Many of the affected devices were running significantly outdated firmware versions, including releases from 5.4.202 up through 6.1.62, which lack integrated detection, monitoring, and current security protections.
While the exact FortiWeb exploit vector remains unconfirmed, evidence suggests the attacker leveraged public-facing vulnerabilities, including React2Shell (CVE-2025-55182) in conjunction with other unpatched weaknesses, to gain initial access to the FortiWeb management surface.
Sliver C2 Deployment and Naming Evasion
Upon successful compromise, the operator deployed the Sliver C2 framework, renaming the binary to “system-updater” and placing it under the path:
/bin/.root/system-updater
This disguise aligns with common evasion tactics intended to blend malicious binaries with legitimate system processes. The Sliver implants communicated with two primary command servers—ns1.ubunutpackages[.]store and ns1.bafairforce[.]army—hosted under Autonomous System 62005 and shielded by deceptive web content such as a fake “Ubuntu Packages” portal and an imitation Bangladesh Air Force recruitment site, likely tailored to target specific regional infrastructure.
Persistence Mechanisms and Proxy Infrastructure
To ensure long-term persistence, the threat actor configured malicious systemd and supervisor services labeled “Updater Service” and “rootbinary,” so that Sliver is launched automatically at system boot and relaunched if the process fails, corresponding to MITRE ATT&CK persistence technique T1543.002 (Create or Modify System Process: Systemd Service).
Beyond basic C2 connectivity, the actor deployed additional tooling to expand reach within victim networks. A publicly hosted Fast Reverse Proxy (FRP) binary was retrieved from a remote server and used to:
- Bridge internal network services to external attacker infrastructure
- Expose internal services for remote access over the internet
Furthermore, a SOCKS proxy implementation (Microsocks) was deployed under the name “cups-lpd” to mimic a CUPS printing service on TCP port 515, facilitating stealthy lateral access, with proxy authentication potentially handled through hard-coded credentials.
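One way a defender can hunt for the persistence and proxy indicators described above, as an added example that is not part of the original report or of any vendor tooling: the script runs over constructed samples of systemd unit files, ss -ltnp output and resolved /proc/<pid>/exe paths (all hypothetical), flagging units with the decoy service names or a binary under a hidden directory such as /bin/.root/, and a cups-lpd listener on TCP/515 whose executable is not where CUPS installs it (the legitimate CUPS paths listed are an assumption).

```python
# Triage constructed samples for the decoy service names, hidden binary path
# and fake cups-lpd listener described in the report above.
import re

# Constructed sample: systemd unit files as {path: contents}.
SAMPLE_UNITS = {
    "/etc/systemd/system/updater.service": (
        "[Unit]\nDescription=Updater Service\n[Service]\n"
        "ExecStart=/bin/.root/system-updater\nRestart=always\n"),
    "/etc/systemd/system/cups.service": (
        "[Unit]\nDescription=CUPS Scheduler\n[Service]\n"
        "ExecStart=/usr/sbin/cupsd -l\n"),
}
# Constructed sample: lines in the shape of `ss -ltnp` output.
SAMPLE_SOCKETS = """\
LISTEN 0 128 0.0.0.0:515 0.0.0.0:* users:(("cups-lpd",pid=1337,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
"""
# Constructed sample: resolved /proc/<pid>/exe targets for the PIDs above.
SAMPLE_EXE = {1337: "/bin/.root/cups-lpd", 812: "/usr/sbin/sshd"}

SUSPECT_NAMES = {"updater service", "rootbinary"}      # decoy names from the report
HIDDEN_PATH = re.compile(r"(^|/)\.[^/]+/")              # a dot-directory in the path
CUPS_LPD_LEGIT = ("/usr/lib/cups/", "/usr/libexec/cups/", "/usr/sbin/")  # assumption

def check_units(units):
    """Flag units whose Description is a decoy name or whose ExecStart
    runs a binary from a hidden directory. Returns [(unit_path, reason)]."""
    hits = []
    for path, text in units.items():
        desc = re.search(r"^Description=(.*)$", text, re.M)
        execs = re.search(r"^ExecStart=(\S+)", text, re.M)
        if desc and desc.group(1).strip().lower() in SUSPECT_NAMES:
            hits.append((path, "decoy description"))
        if execs and HIDDEN_PATH.search(execs.group(1)):
            hits.append((path, "binary in hidden dir"))
    return hits

def check_listeners(ss_output, exe_by_pid):
    """Flag a process calling itself cups-lpd on TCP/515 whose executable is
    not in a CUPS install location. Returns [(pid, exe_path, reason)]."""
    hits = []
    for line in ss_output.splitlines():
        m = re.search(r':(\d+) .*\(\("([^"]+)",pid=(\d+)', line)
        if not m:
            continue
        port, name, pid = int(m.group(1)), m.group(2), int(m.group(3))
        exe = exe_by_pid.get(pid, "")
        if port == 515 and name == "cups-lpd" and not exe.startswith(CUPS_LPD_LEGIT):
            hits.append((pid, exe, "fake cups-lpd on 515"))
    return hits
```

On a live host the same functions can be fed the real unit files, `ss -ltnp` output and `os.readlink(f"/proc/{pid}/exe")` results instead of the constructed samples.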
Global Scope and Targeting Patterns
Analysis of telemetry between December 22 and December 30, 2025 identified at least 30 unique compromised IPs beaconing to Sliver C2 infrastructure. Affected hosts spanned diverse geographic regions, including Bangladesh, Pakistan, India, South Africa, and the United States, indicating broad targeting alongside a possible regional focus consistent with the decoy sites hosted on the C2 infrastructure.
This campaign highlights a concerning trend wherein edge security appliances, such as FortiWeb WAFs—designed to defend networks—become privileged footholds when unpatched and internet-exposed. Without robust telemetry or endpoint detection integrated on these systems, attackers can leverage them to maintain covert, long-term access and proxy internal resources outward with minimal visibility.
